Don't be 'shush' over SSH key management

SSL technology has become pretty ubiquitous in recent years following its roll-out by major websites and the need to protect data flow.

One area I was not so familiar with was Secure Shell (SSH), effectively the secure communication between machines rather than machine and man. I recently spoke with Matthew McKenna, head of sales and marketing at inventor SSH Communications Security, who told me that it is one of the three most widely used security protocols (along with SSL and IP Sec).

He said: “It is about secure file transfer and possibility for secure remote access to tunnel into remote servers for Unix administrators. This is used for servers with financial data, for example in financial services and retail.”

According to McKenna, one of the main issues around this technology is key management and, over the years, millions of SSH key ‘pairs' have been created, but with many undeleted or unaccounted for.

He said that the pairing of a private and public key approves access to the server but the challenge is knowing who has access to which key and, therefore, which server.

“You can create a new key, but a user may take it and share it and there is no way of seeing it, so it is a huge risk as you are still accessing critical data,” he said.

“Also, when people leave an organisation, do human resources tell IT? No, the keys stay with them and organisations are not focused on key removal and reclassification. You have to remove and rotate the keys and replace them, so that when people leave the organisation you have to resolve it.

“A customer is supposed to rotate keys every two years, but that is not possible so, as no one is investing in this area, you approve access through Active Directory.”

Launched at this year's RSA Conference in San Francisco is the User Key Management Tool from SSH, which it claims will address these headaches by automating the process of identifying, organising and managing the abundance of private and public SSH keys in circulation within an organisation.

It said that this is an extension of its SSH Information Integrity Platform, and will serve to provide enterprises with the ability to identify, organise and maintain trust relationships of applications, user and service accounts to their respective target SSH servers through the management of public and private keys.

Tatu Ylönen, CEO of SSH Communications Security and inventor of SSH-1, said: “Enterprises' most critical data and applications are often transported and housed on SSH and OpenSSH servers.

“Those enterprises using public key authentication to manage access to those servers are faced with a significant challenge today in terms of knowing who and what may access those servers. This is not only a major security and compliance risk, it is also a cost issue, but many organisations manage this function manually with little or no oversight.”

McKenna said this is a logical extension of where the company has come from and user feedback has been positive to both the problem and the resolution. “We talk to everybody and we know that everyone is having this problem,” he said.

“We offer three options for the key management tool: via a software deployment; a virtual appliance; or a hardware appliance. We have a central database with a file repository, we do not touch the private keys and the front end can manage the automation process.”

The conversation on SSH reminded me a lot about the conversations on encryption and key management, and the need to be sure of who has what and where it is. This harks back to the basics of data security, and could be a solution to the greatest challenge.

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.